Deploying VeeamPN as a Client VPN solution


You can follow this KB article to deploy and configure VeeamPN as a client VPN solution in your vDC.

VeeamPN is a free appliance available from Veeam. It can be used for site-to-site VPNs as well as a client VPN solution. Site-to-site VPNs are out of scope for this KB.

This guide focuses on a simple Client VPN deployment using VeeamPN to terminate Workstation VPN clients.

In this KB article the VeeamPN appliance will be deployed as a Network Hub and clients added, meaning all clients will connect back to this appliance.

It is recommended to deploy the appliance in a separate DMZ network and to also use firewall rules on your NSX to control access.

VeeamPN uses OpenVPN as the client VPN software, so you will need to install an OpenVPN client on the client workstations:


Windows clients can be obtained from:

https://openvpn.net/community-downloads/

While OSX clients can be obtained from:

https://tunnelblick.net/downloads.html


You can obtain the latest VeeamPN OVA from: https://www.veeam.com/powered-network.html


Follow this guide to deploy your OVA/OVF https://support.zettagrid.com/?id=kb_article&sys_id=93305f19db792b00e37bcef4059619de


After the VM has been deployed, obtain the IP address of your VPN appliance by looking at the IP address column in the VM list, for example from the HTML5 portal below:



Open a browser and browse to the IP of the deployed VeeamPN appliance. You will be shown a security warning because the appliance uses a self-signed certificate, which will not match the IP or chain to a valid root certificate for now.

NOTE: the default username and password are root and VeeamPN.

If this password does not work, please use the initial password from the VM's guest customisation screen. The appliance will prompt you to change it upon login.



When you first log in after changing the password, you will be presented with a wizard to set up the initial configuration for the appliance.
This involves choosing the type of deployment for the appliance and generating SSL certificates and keys.

Select Network hub to configure the appliance as the central hub.

NOTE: Site gateway would only be used if this vDC is a remote site connecting back to another Network Hub appliance.



Enter your company name, or a unique name to be used for the certificate that is generated for this VPN.

This certificate is used to secure all communications between the clients and the hub.

You may also specify the key length. Click Next when finished.


The certificate will then be generated. This may take some time depending on the key length.


Click OK when done, then Next.




Enter the public IP that users will connect to. For most customers this will be a public IP on their NSX Edge.


The VeeamPN is now configured as a Hub to accept connections from clients. The next step is to add the users that will be connecting.

To allow external access into your VPN appliance you will also need to add port-forwards and firewall rules for the specified protocol and port above to the internal IP of the VeeamPN appliance.

Please follow our guide here https://support.zettagrid.com/?id=kb_article&sys_id=e95f35b8db4ff3002c59fe3cbf961981 if you require any assistance.


Users authenticate with a certificate and private key, which are generated when the user is created. A configuration file is also generated, with the client name as its filename.

This file contains all settings as well as the certificate and private key required to connect. Keep these files in a safe place; it is recommended not to email them out.


To add clients, select Clients from the menu on the left-hand side.


To configure a client workstation for the VPN, select Standalone computer.


Enter a descriptive name for the user (this will not be their username).



To use split-tunnelling, that is, to route only specific traffic over the VPN while all internet traffic remains local over the user's connection, ensure that "Use HUB as default gateway" is left unticked.

You can then manually edit the VPN configuration files after creating them to add the required routes and DNS servers.

For example, after creating the client and obtaining the *.ovpn configuration file, add the following lines before the section in the file.


route 192.168.0.0 255.255.0.0 10.210.0.1

dhcp-option DNS 192.168.3.1


This adds a static route for 192.168.0.0/16 via the VeeamPN gateway and sets the DNS server to use. Replace these IPs and subnets as appropriate for your network.
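
The manual edit above can be scripted and the result checked before a file is handed to a user. The following Python is an added example, not VeeamPN or Zettagrid code; it assumes the new lines go before the first inline block of the file, and the sample profile and the names `add_split_tunnel` and `audit` are constructed for illustration.

```python
import ipaddress
import re

INLINE_OPEN = re.compile(r"^<([a-z][a-z0-9-]*)>$")  # inline blocks such as <ca>, <key>

# Constructed sample profile (not VeeamPN output); address, port and blocks are placeholders.
SAMPLE = """client
dev tun
remote 203.0.113.10 1194 udp
<ca>
(constructed placeholder)
</ca>
<key>
(constructed placeholder)
</key>
"""

def add_split_tunnel(text, routes, dns_servers):
    """Insert route/dhcp-option lines ahead of the first inline block (assumed position)."""
    extra = []
    for cidr, gateway in routes:
        net = ipaddress.ip_network(cidr)  # raises ValueError if host bits are set
        extra.append(f"route {net.network_address} {net.netmask} {ipaddress.ip_address(gateway)}")
    extra += [f"dhcp-option DNS {ipaddress.ip_address(d)}" for d in dns_servers]
    lines = text.splitlines()
    idx = next((i for i, l in enumerate(lines) if INLINE_OPEN.match(l.strip())), len(lines))
    return "\n".join(lines[:idx] + extra + lines[idx:]) + "\n"

def audit(text):
    """Report routes, DNS, full-tunnel directive and embedded private key in a profile."""
    report = {"routes": [], "dns": [], "full_tunnel": False, "inline_key": False}
    block = None
    for line in (raw.strip() for raw in text.splitlines()):
        if block:  # skip certificate/key material until the closing tag
            block = None if line == f"</{block}>" else block
            continue
        m = INLINE_OPEN.match(line)
        if m:
            block = m.group(1)
            report["inline_key"] = report["inline_key"] or block == "key"
            continue
        parts = line.split()
        if not parts or parts[0][0] in "#;":
            continue
        if parts[0] == "route" and len(parts) >= 3:
            report["routes"].append(str(ipaddress.ip_network(f"{parts[1]}/{parts[2]}")))
        elif parts[:2] == ["dhcp-option", "DNS"] and len(parts) >= 3:
            report["dns"].append(parts[2])
        elif parts[0] == "redirect-gateway":
            report["full_tunnel"] = True
    return report
```

For a split-tunnel client, `audit` should report `full_tunnel` as false and list only the vDC networks under `routes`; `inline_key` being true marks the file as one that must be stored and transferred as a secret.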


If your VeeamPN architecture involves deploying a number of site gateways, the networks for these will be automatically pushed to clients.


This user is now set up. Click Finish.

When you click finish the file will be automatically downloaded.

Remember to edit the configuration file if required as detailed above to use split tunnelling and provide routes to end users to access the vDC resources.

Remember to keep these in a safe, secure place as they do contain the private key for each user.



Now you will need to install OpenVPN, as well as this configuration file, on the user's workstation.

Once the client is installed, install the configuration file onto the user's laptop or workstation. You will now be able to connect to your VPN.